Virus Encyclopedia

FTLog.A

Effects

FTLog.A reaches the computer through the social network Fotolog, in a link enticing users to watch a video. This is detailed below in the section Means of transmission.

If users follow the malicious link, a website is displayed requiring users to install a certain codec in order to watch the video.

Once the codec is installed, users are redirected to a website for adults from which a file called SETUP.EXE is downloaded.

This file belongs to a plugin called MediaPass Plugin which, once downloaded, is installed in the computer.

Once installed, two different websites are displayed:

- The first one is a website that informs users that they have won a prize and that, in order to get it, they have to enter certain data.

- The second one is a website that contains videos for adults.

If users click on any of the images belonging to the videos, another file is downloaded. Once this file is run, it installs a hotbar, which allows users to customize the browser and add different applications to it.

Additionally, it changes the Start Page to a search engine that allows users to search for pages, videos and news, among others.

When users are browsing through the Internet, it displays different pop-up ads related to the type of websites users visit. This does not allow users to browse through the Internet as usual.

Infection strategy

FTLog.A creates the following DLLs (Dynamic Link Libraries) in the Windows system directory:

- 5SY5WVTUMOKH.DLL. It is injected into Internet Explorer in order to display pop-up ads while users are browsing through the Internet.

- T-XV0Q7O-_.DLL. It is injected into Firefox in order to display pop-up ads while users are browsing through the Internet.

FTLog.A creates the following entry in the Windows Registry:

HKEY_CURRENT_USER\Software\AppDataLow\HavingFunOnline
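
A triage check for the artifacts listed above, added here as an example and not part of the original entry: it looks for the two DLLs in the system directory, for the registry key in every loaded user hive, and for the DLLs among the modules of running browser processes. The process names `iexplore` and `firefox` and the extra SysWOW64 directory are assumptions; Get-FileHash needs PowerShell 4 or later.

```powershell
# Indicators as listed in this entry.
$dllNames = '5SY5WVTUMOKH.DLL', 'T-XV0Q7O-_.DLL'
$regPath  = 'Software\AppDataLow\HavingFunOnline'
# Assumption: usual process names of Internet Explorer and Firefox.
$browsers = 'iexplore', 'firefox'
$findings = @()

# 1. DLLs in the Windows system directory. A 32-bit process on 64-bit
#    Windows is redirected to SysWOW64, so that directory is checked too.
$dirs = @([Environment]::SystemDirectory, (Join-Path $env:windir 'SysWOW64')) |
    Where-Object { Test-Path -LiteralPath $_ } | Select-Object -Unique
foreach ($dir in $dirs) {
    foreach ($name in $dllNames) {
        $file = Join-Path $dir $name
        if (Test-Path -LiteralPath $file -PathType Leaf) {
            $sha = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
            $findings += [pscustomobject]@{ Type = 'File'; Location = $file; Note = "SHA256 $sha" }
        }
    }
}

# 2. The key lives under HKEY_CURRENT_USER, so look in every loaded user
#    hive, not only the hive of the account running this script.
foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
    $key = "Registry::HKEY_USERS\$($hive.PSChildName)\$regPath"
    if (Test-Path -LiteralPath $key) {
        $findings += [pscustomobject]@{ Type = 'Registry'; Location = $key; Note = '' }
    }
}

# 3. The same DLL names among modules loaded by running browser processes.
#    Module enumeration is only reliable when this shell has the same
#    bitness as the browser process.
foreach ($proc in Get-Process -Name $browsers -ErrorAction SilentlyContinue) {
    try { $mods = $proc.Modules } catch { continue }   # no access: skip process
    foreach ($m in $mods) {
        if ($dllNames -contains $m.ModuleName) {        # -contains ignores case
            $findings += [pscustomobject]@{ Type = 'Module'; Location = $m.FileName; Note = "PID $($proc.Id) $($proc.ProcessName)" }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    'No FTLog.A indicators from this entry were found.'
}
```

Hives of users who are not logged on are not loaded under HKEY_USERS, so a clean result for the registry check covers only the sessions active when the script runs.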

FTLog.A modifies the following entry from the Windows Registry in order to change the Internet Explorer Start Page: